devise_saml_authenticatable 1.6.3 → 1.9.0

data/spec/controllers/devise/saml_sessions_controller_spec.rb

@@ -1,4 +1,5 @@
 require 'rails_helper'
+require 'support/ruby_saml_support'
 
 # The important parts from devise
 class DeviseController < ApplicationController
@@ -8,112 +9,122 @@ class DeviseController < ApplicationController
     User
   end
 
-  def require_no_authentication
+  def resource_name
+    'users'
+  end
+
+  def require_no_authentication; end
+
+  def set_flash_message!(key, kind, _options = {})
+    flash[key] = I18n.t("devise.sessions.#{kind}")
   end
 end
+
 class Devise::SessionsController < DeviseController
   def destroy
     sign_out
-    redirect_to after_sign_out_path_for(:user)
-  end
-
-  def verify_signed_out_user
-    # no-op for these tests
+    redirect_to after_sign_out_path_for(:user), allow_other_host: true
   end
 end
 
 require_relative '../../../app/controllers/devise/saml_sessions_controller'
 
 describe Devise::SamlSessionsController, type: :controller do
-  let(:idp_providers_adapter) { spy("Stub IDPSettings Adaptor") }
+  include RubySamlSupport
+
+  let(:idp_providers_adapter) { spy('Stub IDPSettings Adaptor') }
 
   before do
-    @request.env["devise.mapping"] = Devise.mappings[:user]
-    allow(idp_providers_adapter).to receive(:settings).and_return({
-      assertion_consumer_service_url: "acs_url",
-      assertion_consumer_service_binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
-      name_identifier_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
-      issuer: "sp_issuer",
-      idp_entity_id: "http://www.example.com",
-      authn_context: "",
-      idp_slo_target_url: "http://idp_slo_url",
-      idp_sso_target_url: "http://idp_sso_url",
-      idp_cert: "idp_cert"
+    @request.env['devise.mapping'] = Devise.mappings[:user]
+    settings = {
+      assertion_consumer_service_url: 'acs_url',
+      assertion_consumer_service_binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+      name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
+      issuer: 'sp_issuer',
+      idp_entity_id: 'http://www.example.com',
+      authn_context: '',
+      idp_cert: 'idp_cert'
+    }
+    with_ruby_saml_1_12_or_greater(proc {
+      settings.merge!(
+        idp_slo_service_url: 'http://idp_slo_url',
+        idp_sso_service_url: 'http://idp_sso_url'
+      )
+    }, else_do: proc {
+      settings.merge!(
+        idp_slo_target_url: 'http://idp_slo_url',
+        idp_sso_target_url: 'http://idp_sso_url'
+      )
     })
+    allow(idp_providers_adapter).to receive(:settings).and_return(settings)
   end
 
-  before do
-    if Rails::VERSION::MAJOR < 5 && Gem::Version.new(RUBY_VERSION) > Gem::Version.new("2.6")
-      # we still want to support Rails 4
-      # patch tests using snippet from https://github.com/rails/rails/issues/34790#issuecomment-483607370
-      class ActionController::TestResponse < ActionDispatch::TestResponse
-        def recycle!
-          @mon_mutex_owner_object_id = nil
-          @mon_mutex = nil
-          initialize
-        end
-      end
+  describe '#new' do
+    let(:saml_response) do
+      File.read(File.join(File.dirname(__FILE__), '../../support', 'response_encrypted_nameid.xml.base64'))
     end
-  end
 
-  describe '#new' do
-    let(:saml_response) { File.read(File.join(File.dirname(__FILE__), '../../support', 'response_encrypted_nameid.xml.base64')) }
+    subject(:do_get) do
+      get :new, params: { 'SAMLResponse' => saml_response }
+    end
 
-    subject(:do_get) {
-      if Rails::VERSION::MAJOR > 4
-        get :new, params: {"SAMLResponse" => saml_response}
-      else
-        get :new, "SAMLResponse" => saml_response
+    context 'when using the default saml config' do
+      it 'redirects to the IdP SSO target url' do
+        do_get
+        expect(response).to redirect_to(%r{\Ahttp://localhost:8009/saml/auth\?SAMLRequest=})
       end
-    }
 
-    context "when using the default saml config" do
-      it "redirects to the IdP SSO target url" do
+      it 'stores saml_transaction_id in the session' do
         do_get
-        expect(response).to redirect_to(%r(\Ahttp://localhost:8009/saml/auth\?SAMLRequest=))
+        if OneLogin::RubySaml::Authrequest.public_instance_methods.include?(:request_id)
+          expect(session[:saml_transaction_id]).to be_present
+        end
       end
     end
 
-    context "with a specified idp" do
+    context 'with a specified idp' do
       before do
         Devise.idp_settings_adapter = idp_providers_adapter
       end
 
-      it "redirects to the associated IdP SSO target url" do
+      it 'redirects to the associated IdP SSO target url' do
         do_get
-        expect(response).to redirect_to(%r(\Ahttp://idp_sso_url\?SAMLRequest=))
+        expect(response).to redirect_to(%r{\Ahttp://idp_sso_url\?SAMLRequest=})
       end
 
-      it "uses the DefaultIdpEntityIdReader" do
+      it 'stores saml_transaction_id in the session' do
+        do_get
+        if OneLogin::RubySaml::Authrequest.public_instance_methods.include?(:request_id)
+          expect(session[:saml_transaction_id]).to be_present
+        end
+      end
+
+      it 'uses the DefaultIdpEntityIdReader' do
         expect(DeviseSamlAuthenticatable::DefaultIdpEntityIdReader).to receive(:entity_id)
         do_get
-        expect(idp_providers_adapter).to have_received(:settings).with(nil)
+        expect(idp_providers_adapter).to have_received(:settings).with(nil, request)
       end
 
-      context "with a relay_state lambda defined" do
-        let(:relay_state) { ->(request) { "123" } }
+      context 'with a relay_state lambda defined' do
+        let(:relay_state) { ->(_request) { '123' } }
 
-        it "includes the RelayState param in the request to the IdP" do
+        it 'includes the RelayState param in the request to the IdP' do
           expect(Devise).to receive(:saml_relay_state).at_least(:once).and_return(relay_state)
           do_get
-          expect(response).to redirect_to(%r(\Ahttp://idp_sso_url\?SAMLRequest=.*&RelayState=123))
+          expect(response).to redirect_to(%r{\Ahttp://idp_sso_url\?SAMLRequest=.*&RelayState=123})
         end
       end
 
-      context "with a specified idp entity id reader" do
+      context 'with a specified idp entity id reader' do
         class OurIdpEntityIdReader
           def self.entity_id(params)
             params[:entity_id]
           end
         end
 
-        subject(:do_get) {
-          if Rails::VERSION::MAJOR > 4
-            get :new, params: {entity_id: "http://www.example.com"}
-          else
-            get :new, entity_id: "http://www.example.com"
-          end
-        }
+        subject(:do_get) do
+          get :new, params: { entity_id: 'http://www.example.com' }
+        end
 
         before do
           @default_reader = Devise.idp_entity_id_reader
@@ -124,10 +135,10 @@ describe Devise::SamlSessionsController, type: :controller do
           Devise.idp_entity_id_reader = @default_reader
         end
 
-        it "redirects to the associated IdP SSO target url" do
+        it 'redirects to the associated IdP SSO target url' do
           do_get
-          expect(idp_providers_adapter).to have_received(:settings).with("http://www.example.com")
-          expect(response).to redirect_to(%r(\Ahttp://idp_sso_url\?SAMLRequest=))
+          expect(idp_providers_adapter).to have_received(:settings).with('http://www.example.com', request)
+          expect(response).to redirect_to(%r{\Ahttp://idp_sso_url\?SAMLRequest=})
         end
       end
     end
@@ -136,7 +147,7 @@ describe Devise::SamlSessionsController, type: :controller do
   describe '#metadata' do
     let(:saml_config) { Devise.saml_config.dup }
 
-    context "with the default configuration" do
+    context 'with the default configuration' do
       it 'generates metadata' do
         get :metadata
 
@@ -147,20 +158,20 @@ describe Devise::SamlSessionsController, type: :controller do
       end
     end
 
-    context "with a specified IDP" do
-      let(:saml_config) { controller.saml_config("anything") }
+    context 'with a specified IDP' do
+      let(:saml_config) { controller.saml_config('anything') }
 
       before do
         Devise.idp_settings_adapter = idp_providers_adapter
         Devise.saml_configure do |settings|
-          settings.assertion_consumer_service_url = "http://localhost:3000/users/saml/auth"
-          settings.assertion_consumer_service_binding = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
-          settings.name_identifier_format = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
-          settings.issuer = "http://localhost:3000"
+          settings.assertion_consumer_service_url = 'http://localhost:3000/users/saml/auth'
+          settings.assertion_consumer_service_binding = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
+          settings.name_identifier_format = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
+          settings.issuer = 'http://localhost:3000'
         end
       end
 
-      it "generates the same service metadata" do
+      it 'generates the same service metadata' do
         get :metadata
 
         # Remove ID that can vary across requests
@@ -172,79 +183,131 @@ describe Devise::SamlSessionsController, type: :controller do
   end
 
   describe '#destroy' do
-    before do
-      allow(controller).to receive(:sign_out)
-    end
+    subject { delete :destroy }
 
-    context "when using the default saml config" do
-      it "signs out and redirects to the IdP" do
-        delete :destroy
-        expect(controller).to have_received(:sign_out)
-        expect(response).to redirect_to(%r(\Ahttp://localhost:8009/saml/logout\?SAMLRequest=))
+    context 'when user is signed out' do
+      before do
+        class Devise::SessionsController < DeviseController
+          def all_signed_out?
+            true
+          end
+        end
       end
-    end
 
-    context "when configured to use a non-transient name identifier" do
-      before do
-        allow(Devise.saml_config).to receive(:name_identifier_format).and_return("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent")
+      shared_examples 'not create SP initiated logout request' do
+        it do
+          expect(OneLogin::RubySaml::Logoutrequest).not_to receive(:new)
+          subject
+        end
+      end
+
+      context 'when Devise.saml_sign_out_success_url is set' do
+        before do
+          allow(Devise).to receive(:saml_sign_out_success_url).and_return('http://localhost:8009/logged_out')
+        end
+
+        it 'redirect to saml_sign_out_success_url' do
+          is_expected.to redirect_to 'http://localhost:8009/logged_out'
+          expect(flash[:notice]).to eq I18n.t('devise.sessions.already_signed_out')
+        end
+
+        it_behaves_like 'not create SP initiated logout request'
       end
 
-      it "includes a LogoutRequest with the name identifier and session index", :aggregate_failures do
-        controller.current_user = Struct.new(:email, :session_index).new("user@example.com", "sessionindex")
+      context 'when Devise.saml_sign_out_success_url is not set' do
+        before do
+          class Devise::SessionsController < DeviseController
+            def after_sign_out_path_for(_)
+              'http://localhost:8009/logged_out'
+            end
+          end
+        end
 
-        actual_settings = nil
-        expect_any_instance_of(OneLogin::RubySaml::Logoutrequest).to receive(:create) do |_, settings|
-          actual_settings = settings
-          "http://localhost:8009/saml/logout"
+        it "redirect to devise's after sign out path" do
+          is_expected.to redirect_to 'http://localhost:8009/logged_out'
+          expect(flash[:notice]).to eq I18n.t('devise.sessions.already_signed_out')
         end
 
-        delete :destroy
-        expect(actual_settings.name_identifier_value).to eq("user@example.com")
-        expect(actual_settings.sessionindex).to eq("sessionindex")
+        it_behaves_like 'not create SP initiated logout request'
       end
     end
 
-    context "with a specified idp" do
+    context 'when user is not signed out' do
       before do
-        Devise.idp_settings_adapter = idp_providers_adapter
+        class Devise::SessionsController < DeviseController
+          def all_signed_out?
+            false
+          end
+        end
+        allow(controller).to receive(:sign_out)
       end
 
-      it "redirects to the associated IdP SSO target url" do
-        expect(DeviseSamlAuthenticatable::DefaultIdpEntityIdReader).to receive(:entity_id)
-        delete :destroy
-        expect(controller).to have_received(:sign_out)
-        expect(response).to redirect_to(%r(\Ahttp://idp_slo_url\?SAMLRequest=))
+      context 'when using the default saml config' do
+        it 'signs out and redirects to the IdP' do
+          delete :destroy
+          expect(controller).to have_received(:sign_out)
+          expect(response).to redirect_to(%r{\Ahttp://localhost:8009/saml/logout\?SAMLRequest=})
+        end
       end
 
-      context "with a specified idp entity id reader" do
-        class OurIdpEntityIdReader
-          def self.entity_id(params)
-            params[:entity_id]
-          end
+      context 'when configured to use a non-transient name identifier' do
+        before do
+          allow(Devise.saml_config).to receive(:name_identifier_format).and_return('urn:oasis:names:tc:SAML:2.0:nameid-format:persistent')
         end
 
-        subject(:do_delete) {
-          if Rails::VERSION::MAJOR > 4
-            delete :destroy, params: {entity_id: "http://www.example.com"}
-          else
-            delete :destroy, entity_id: "http://www.example.com"
+        it 'includes a LogoutRequest with the name identifier and session index', :aggregate_failures do
+          controller.current_user = Struct.new(:email, :session_index).new('user@example.com', 'sessionindex')
+
+          actual_settings = nil
+          expect_any_instance_of(OneLogin::RubySaml::Logoutrequest).to receive(:create) do |_, settings|
+            actual_settings = settings
+            'http://localhost:8009/saml/logout'
           end
-        }
 
-        before do
-          @default_reader = Devise.idp_entity_id_reader
-          Devise.idp_entity_id_reader = OurIdpEntityIdReader # which will have some different behavior
+          delete :destroy
+          expect(actual_settings.name_identifier_value).to eq('user@example.com')
+          expect(actual_settings.sessionindex).to eq('sessionindex')
         end
+      end
 
-        after do
-          Devise.idp_entity_id_reader = @default_reader
+      context 'with a specified idp' do
+        before do
+          Devise.idp_settings_adapter = idp_providers_adapter
         end
 
-        it "redirects to the associated IdP SLO target url" do
-          do_delete
+        it 'redirects to the associated IdP SSO target url' do
+          expect(DeviseSamlAuthenticatable::DefaultIdpEntityIdReader).to receive(:entity_id)
+          delete :destroy
           expect(controller).to have_received(:sign_out)
-          expect(idp_providers_adapter).to have_received(:settings).with("http://www.example.com")
-          expect(response).to redirect_to(%r(\Ahttp://idp_slo_url\?SAMLRequest=))
+          expect(response).to redirect_to(%r{\Ahttp://idp_slo_url\?SAMLRequest=})
+        end
+
+        context 'with a specified idp entity id reader' do
+          class OurIdpEntityIdReader
+            def self.entity_id(params)
+              params[:entity_id]
+            end
+          end
+
+          subject(:do_delete) do
+            delete :destroy, params: { entity_id: 'http://www.example.com' }
+          end
+
+          before do
+            @default_reader = Devise.idp_entity_id_reader
+            Devise.idp_entity_id_reader = OurIdpEntityIdReader # which will have some different behavior
+          end
+
+          after do
+            Devise.idp_entity_id_reader = @default_reader
+          end
+
+          it 'redirects to the associated IdP SLO target url' do
+            do_delete
+            expect(controller).to have_received(:sign_out)
+            expect(idp_providers_adapter).to have_received(:settings).with('http://www.example.com', request)
+            expect(response).to redirect_to(%r{\Ahttp://idp_slo_url\?SAMLRequest=})
+          end
         end
       end
     end
@@ -264,14 +327,10 @@ describe Devise::SamlSessionsController, type: :controller do
       expect(response.status).to eq 500
     end
 
-    context "when receiving a logout response from the IdP after redirecting an SP logout request" do
-      subject(:do_post) {
-        if Rails::VERSION::MAJOR > 4
-          post :idp_sign_out, params: {SAMLResponse: "stubbed_response"}
-        else
-          post :idp_sign_out, SAMLResponse: "stubbed_response"
-        end
-      }
+    context 'when receiving a logout response from the IdP after redirecting an SP logout request' do
+      subject(:do_post) do
+        post :idp_sign_out, params: { SAMLResponse: 'stubbed_response' }
+      end
 
       it 'accepts a LogoutResponse and redirects sign_in' do
         do_post
@@ -293,20 +352,18 @@ describe Devise::SamlSessionsController, type: :controller do
       end
     end
 
-    context "when receiving an IdP logout request" do
-      subject(:do_post) {
-        if Rails::VERSION::MAJOR > 4
-          post :idp_sign_out, params: {SAMLRequest: "stubbed_logout_request"}
-        else
-          post :idp_sign_out, SAMLRequest: "stubbed_logout_request"
-        end
-      }
+    context 'when receiving an IdP logout request' do
+      subject(:do_post) do
+        post :idp_sign_out, params: { SAMLRequest: 'stubbed_logout_request' }
+      end
 
-      let(:saml_request) { double(:slo_logoutrequest, {
-        id: 42,
-        name_id: name_id,
-        issuer: "http://www.example.com"
-      }) }
+      let(:saml_request) do
+        double(:slo_logoutrequest, {
+                 id: 42,
+                 name_id: name_id,
+                 issuer: 'http://www.example.com'
+               })
+      end
       let(:name_id) { '12312312' }
       before do
         allow(OneLogin::RubySaml::SloLogoutrequest).to receive(:new).and_return(saml_request)
@@ -319,27 +376,28 @@ describe Devise::SamlSessionsController, type: :controller do
         expect(User).to have_received(:reset_session_key_for).with(name_id)
       end
 
-      context "with a specified idp" do
-        let(:idp_entity_id) { "http://www.example.com" }
+      context 'with a specified idp' do
+        let(:idp_entity_id) { 'http://www.example.com' }
         before do
           Devise.idp_settings_adapter = idp_providers_adapter
         end
 
-        it "accepts a LogoutResponse for the associated slo_target_url and redirects to sign_in" do
+        it 'accepts a LogoutResponse for the associated slo_target_url and redirects to sign_in' do
           do_post
           expect(response.status).to eq 302
-          expect(idp_providers_adapter).to have_received(:settings).with(idp_entity_id)
-          expect(response).to redirect_to "http://localhost/logout_response"
+          expect(idp_providers_adapter).to have_received(:settings).with(idp_entity_id, request)
+          expect(response).to redirect_to 'http://localhost/logout_response'
         end
       end
 
-      context "with a relay_state lambda defined" do
-        let(:relay_state) { ->(request) { "123" } }
+      context 'with a relay_state lambda defined' do
+        let(:relay_state) { ->(_request) { '123' } }
 
-        it "includes the RelayState param in the request to the IdP" do
+        it 'includes the RelayState param in the request to the IdP' do
           expect(Devise).to receive(:saml_relay_state).at_least(:once).and_return(relay_state)
           do_post
-          expect(saml_response).to have_received(:create).with(Devise.saml_config, saml_request.id, nil, {RelayState: "123"})
+          expect(saml_response).to have_received(:create).with(Devise.saml_config, saml_request.id, nil,
+                                                               { RelayState: '123' })
         end
       end
 

data/spec/devise_saml_authenticatable/model_spec.rb

@@ -106,6 +106,32 @@ describe Devise::Models::SamlAuthenticatable do
       end
     end
 
+    context "when configured to create a user by a proc and the user is not found" do
+      before do
+        create_user_proc = -> (model_class, _saml_response, auth_value) { model_class == Model && auth_value == 'user@example.com' }
+        allow(Devise).to receive(:saml_create_user).and_return(create_user_proc)
+      end
+
+      context "when the proc returns true" do
+        it "creates and returns a new user with the name identifier and given attributes" do
+          expect(Model).to receive(:where).with(email: name_id).and_return([])
+          model = Model.authenticate_with_saml(response, nil)
+          expect(model.email).to eq('user@example.com')
+          expect(model.name).to  eq('A User')
+          expect(model.saved).to be(true)
+        end
+      end
+
+      context "when the proc returns false" do
+        let(:name_id) { 'do_not_create@example.com' }
+
+        it "does not creates new user" do
+          expect(Model).to receive(:where).with(email: name_id).and_return([])
+          expect(Model.authenticate_with_saml(response, nil)).to be_nil
+        end
+      end
+    end
+
     context "when configured to update a user and the user is found" do
       before do
         allow(Devise).to receive(:saml_update_user).and_return(true)
@@ -120,8 +146,39 @@ describe Devise::Models::SamlAuthenticatable do
         expect(model.saved).to be(true)
       end
     end
+
+    context "when configured to update a user by a proc and the user is found" do
+      let(:user) { Model.new(email: 'old_mail@mail.com', name: 'old name', new_record: false) }
+
+      before do
+        update_user_proc = -> (model_class, _saml_response, auth_value) { model_class == Model && auth_value == 'user@example.com' }
+        allow(Devise).to receive(:saml_update_user).and_return(update_user_proc)
+      end
+
+      context "when the proc returns true" do
+        it "updates user with given attributes" do
+          expect(Model).to receive(:where).with(email: name_id).and_return([user])
+          model = Model.authenticate_with_saml(response, nil)
+          expect(model.email).to eq('user@example.com')
+          expect(model.name).to  eq('A User')
+          expect(model.saved).to be(true)
+        end
+      end
+
+      context "when the proc returns false" do
+        let(:name_id) { 'do_not_update@example.com' }
+
+        it "does not update user" do
+          expect(Model).to receive(:where).with(email: name_id).and_return([user])
+          model = Model.authenticate_with_saml(response, nil)
+          expect(model.email).to eq('old_mail@mail.com')
+          expect(model.name).to  eq('old name')
+        end
+      end
+    end
   end
 
+
   context "when configured to create an user and the user is not found" do
     before do
       allow(Devise).to receive(:saml_create_user).and_return(true)
@@ -136,6 +193,35 @@ describe Devise::Models::SamlAuthenticatable do
     end
   end
 
+  context "when configured to create a user by a proc and the user is not found" do
+    let(:create_user_proc) { -> (_model_class, saml_response, _auth_value) { saml_response.raw_response.issuers.first == 'to_create_idp' } }
+
+    before do
+      allow(Devise).to receive(:saml_create_user).and_return(create_user_proc)
+    end
+
+    context "when the proc returns true" do
+      let(:response) { double(:response, issuers: ['to_create_idp'], attributes: attributes, name_id: name_id) }
+
+      it "creates and returns a new user with the name identifier and given attributes" do
+        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([])
+        model = Model.authenticate_with_saml(response, nil)
+        expect(model.email).to eq('user@example.com')
+        expect(model.name).to  eq('A User')
+        expect(model.saved).to be(true)
+      end
+    end
+
+    context "when the proc returns false" do
+      let(:response) { double(:response, issuers: ['do_not_create_idp'], attributes: attributes, name_id: name_id) }
+
+      it "does not creates new user" do
+        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([])
+        expect(Model.authenticate_with_saml(response, nil)).to be_nil
+      end
+    end
+  end
+
   context "when configured to update an user" do
     before do
       allow(Devise).to receive(:saml_update_user).and_return(true)
@@ -156,6 +242,38 @@ describe Devise::Models::SamlAuthenticatable do
     end
   end
 
+  context "when configured to update a user by a proc and the user is found" do
+    let(:user) { Model.new(email: 'old_mail@mail.com', name: 'old name', new_record: false) }
+    let(:update_user_proc) { -> (_model_class, saml_response, _auth_value) { saml_response.raw_response.issuers.first == 'to_update_idp' } }
+
+    before do
+      allow(Devise).to receive(:saml_update_user).and_return(update_user_proc)
+    end
+
+    context "when the proc returns true" do
+      let(:response) { double(:response, issuers: ['to_update_idp'], attributes: attributes, name_id: name_id) }
+
+      it "updates user with given attributes" do
+        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+        model = Model.authenticate_with_saml(response, nil)
+        expect(model.email).to eq('user@example.com')
+        expect(model.name).to  eq('A User')
+        expect(model.saved).to be(true)
+      end
+    end
+
+    context "when the proc returns false" do
+      let(:response) { double(:response, issuers: ['do_not_update_idp'], attributes: attributes, name_id: name_id) }
+
+      it "does not update user" do
+        expect(Model).to receive(:where).with(email: 'user@example.com').and_return([user])
+        model = Model.authenticate_with_saml(response, nil)
+        expect(model.email).to eq('old_mail@mail.com')
+        expect(model.name).to  eq('old name')
+      end
+    end
+  end
+
   context "when configured with a case-insensitive key" do
     shared_examples "correct downcasing" do
       before do